ÁTVR is the party responsible for the personal information which is processed at the institution.
ÁTVR is committed to following the government’s policy on improved public health and social responsibility on issues concerning alcohol and tobacco in harmony with the community. ÁTVR operates according to the laws and regulations listed on its website.
ÁTVR emphasises handling all personal information in compliance with the laws on privacy protection and treatment of personal information. The goal of the privacy protection policy is to help individuals understand what information ÁTVR collects, for what purpose and how this information is used.
The privacy protection policy covers personal information for which ÁTVR is responsible for processing, particularly in regard to ÁTVR’s customers and employees.
The policy is based on legislation No. 90/2018 on privacy protection and the treatment of personal information.
Personal information as defined by the policy is all information which can be traced directly or indirectly to a certain individual. Data which cannot be traced to a certain individual is not considered personal information.
Privacy protection representative
ÁTVR has appointed a privacy protection representative. His or her main tasks are as follows:
- Providing counselling on all matters connected to the protection of personal information
- Informing employees of their legal duties
- Monitoring that privacy protection laws are followed
- Serving as a contact person for the Privacy Protection Authority (Persónuvernd)
Enquiries, comments and remarks concerning personal information and privacy protection can be emailed to firstname.lastname@example.org.
When and how does ÁTVR work with personal information?
ÁTVR registers and stores information to an extent deemed necessary at each given time and depending on the projects that are being worked on. In most cases, ÁTVR receives personal information directly from the person whose details are being registered, that is, name, address, identification number (kennitala), telephone number, email address etc.
More extensive information is collected on some employees than others. The information can either be on paper or digital. Special care is taken when treating sensitive personal information, such as, health or relations information.
Great emphasis is placed on processing all personal information in accordance with the general regulations on the processing of personal information.
At ÁTVR, personal information is collected when:
- Someone sends a request, remark or complaint because of ÁTVR’s operations which contain personal information
- A customer orders a product
- An applicant for a position mentions another person as a referee
- Communications have taken place with a company or an institution for which the person in question works, where personal information has been disclosed
- Necessary personal information is requested from other institutions or companies
Information about employees and applicants
ÁTVR uses personal information about its employees in order to pay their salaries. Certain information is necessary to pay salaries, such as contact information, salary category, working hour registrations, labour union membership, bank information and pension fund information.
When someone applies for a job at ÁTVR, it is necessary to review personal information when evaluating applications, such as contact information, resumes, information on the applicant’s educational background, criminal record, results of job interviews, references from a third party and other communications with the applicant.
How is personal information used?
Personal information is only used for the purpose for which it was collected in the first place.
Generally, ÁTVR’s employees do not handle personal information, only when necessary in connection with certain projects that they are authorised to work on. Great care is taken to always process personal information in compliance with legislations and regulations on privacy protection.
For how long does ÁTVR store personal information?
According to legislation No. 77/2014 on public archives, ÁTVR is obliged to hand over information and it is illegal for ÁTVR to delete documents or data which the institution receives or which are created at the institution, unless with permission from the National Archives of Iceland (Þjóðskjalasafn). The obligation includes also that all documents and data received by ÁTVR, or which is created at ÁTVR, must be delivered to the National Archives of Iceland where they are permanently stored.
More detailed information on the National Archives of Iceland can be found on the institution’s website.
How is the safety of information guaranteed?
ÁTVR makes strict demands regarding maintaining the safety of personal information. Access to such information is limited and monitored. Strict demands are made in regard to the security of the institution’s facilities and computer systems. The same applies to the service providers that work for ÁTVR and work contracts are made with these parties.
All of ÁTVR’s employees must uphold confidentiality about issues they obtain knowledge of in the course of their work and are to follow the law, the orders of their superiors and the nature of the issue (that is, where it makes common sense to uphold confidentiality). Employees must uphold confidentiality even after they leave their position. The confidentiality obligation is included in the job contract with a referral to the legislation on the rights and obligation of state employees No. 70/1996.
Your rights according to the privacy protection legislation
According to the privacy protection legislation, those whose information has been registered have certain rights which are listed below. They can contact ÁTVR by sending an email to atvr(at)atvr.is and ask for a form which they can fill out to request information. Generally, ÁTVR responds to such requests and provides the information without a charge if only one copy is requested, otherwise a charge may be requested to cover the cost.
Requests for access to information are responded to within a month but the period can be extended by two months if the search is especially extensive. In such cases the person in question is notified of the reasons for the delay.
It is necessary to provide a legitimate ID when information is requested.
> Right to access
An individual has the right to know whether personal information about him or her has been collected and, if so, request access to it. However, this right can depend on limitations that concern the law and/or the interests of other individuals who are involved.
More extensive information about the right to access information can be found on the website of the Privacy Protection Authority.
An individual may also have the right to access data about him or herself according to the 15th article of the administrative law No. 37/1993 where an individual’s right to access data is covered, and according to the 14th article on the information legislation No. 140/2012. Here, there might be an overlap between sections which must be evaluated at each given time.
> Right to correct
An individual has the right to have personal information about him or her corrected if he or she considers it to be incorrect. However, it should be noted that according to legislation No. 77/2014 on public archives, it is often illegal to change data stored by ÁTVR. It may be possible to point out an error with a notification which is attached to the data when possible. It may also be possible to request an addition to the personal information stored by ÁTVR if the person in question believes it to be incomplete.
More extensive information about the right to correct personal information can be found on the website of the Privacy Protection Authority.
> The right to have information deleted / be forgotten
The right to have information deleted or the right to be forgotten does not apply to the processing of personal information at ÁTVR as ÁTVR falls under the law on public archives and must store all information received by the institution. In the privacy protection legislation, it is especially mentioned that the right to have personal information deleted and be forgotten does not apply when the law states that the information is to be preserved. Therefore, the right to delete / be forgotten does not apply to the personal information ÁTVR processes.
More extensive information about the right to have information deleted / be forgotten can be found on the website of the Privacy Protection Authority.
> The right to limitation of processing
An individual has the right to request that the processing of his or her information is limited under certain circumstances.
> The right to protest the processing of information
An individual has the right to protest the processing of personal information about him or herself when ÁTVR is undertaking such processing on the basis of public interests or the use of public authority.
More extensive information about the right to protest can be found on the website of the Privacy Protection Authority.
> The right to transport one’s own data
The right to transport one’s own data does only apply when the information is processed on the basis of an agreement or a contract. ÁTVR operates according to the law and therefore bases a very small part of its operations on personal information or approval or contract. Therefore, it is unlikely that this right applies to the work executed by ÁTVR as it is almost exclusively carried out on the basis of a legal obligation or public interests.
More extensive information about the right to transport one’s own data can be found on the website of the Privacy Protection Authority.
> Complaints due to the processing of personal information
If you believe that ÁTVR’s treatment of your personal information is not in accordance with the existing legislations and regulations on privacy protection you can send a complaint to the Privacy Protection Authority The Privacy Protection Authority is tasked with safekeeping the interests of the public so that human rights are not violated when information is processed. The institution supervises the laws and regulations on the processing of personal information.
It is also possible to refer issues that concern personal information and privacy protection by email to atvr(at)atvr.is.
On ÁTVR’s website you will find everything about cookies and their usage.
ÁTVR updates its privacy protection policy whenever there is reason to do so, such as in consistency with changes to laws and regulations or changes to how personal information is processed.
All changes which may be made to the policy take effect after its updated version has been published on ÁTVR’s website, www.vinbudin.is.
This privacy protection policy has been reviewed and approved by the executive committee on April 21st, 2020.
Disclaimer: The original text is published in Icelandic. This English translation is published for information only. In case of a possible discrepancy, the original Icelandic text applies.